Fork bomb: limiting processes with ulimit

A fork bomb is a form of denial-of-service attack against a computer system that uses the fork function. It relies on the assumption that the number of programs and processes that can run simultaneously on a computer is limited.

A fork bomb works by creating a large number of processes very quickly in order to saturate the space available in the process list kept by the operating system. Once the process table is full, no new program can start until another one terminates. Even when that happens, a useful program is unlikely to start, because every instance of the bomb is waiting to take the freed slot.

Fork bombs do not only take up space in the process table: each instance also consumes CPU time and memory. As a result, the system and the programs running at that moment slow down and can even become impossible to use.

Fork bombs can be considered a type of wabbit (a program that replicates itself without using the network). (Wikipedia)

How do you protect against such an attack on Linux/Unix?

You have to limit the number of processes users can run. The limits are configured in the file /etc/security/limits.conf.
Description of the /etc/security/limits.conf file

Each line describes a limit for a user in the form:

<domain> <type> <item> <value>

<domain> can be:
a user name
a group name, with @group syntax
the wildcard *, for default entry
the wildcard %, can be also used with %group syntax, for maxlogin limit
<type> can have the two values:
"soft" for enforcing the soft limits
"hard" for enforcing hard limits
<item> can be one of the following:
core – limits the core file size (KB)
data – max data size (KB)
fsize – maximum filesize (KB)
memlock – max locked-in-memory address space (KB)
nofile – max number of open files
rss – max resident set size (KB)
stack – max stack size (KB)
cpu – max CPU time (MIN)
nproc – max number of processes
as – address space limit
maxlogins – max number of logins for this user
maxsyslogins – max number of logins on the system
priority – the priority to run user process with
locks – max number of file locks the user can hold
sigpending – max number of pending signals
msgqueue – max memory used by POSIX message queues (bytes)
nice – max nice priority allowed to raise to
rtprio – max realtime priority
chroot – change root to directory (Debian-specific)

Log in as root and edit the file:
# vi /etc/security/limits.conf
Example to prevent a "fork bomb":

@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200
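
An added example, not part of the original article: a small shell audit that reads limits.conf-style text and reports, for each domain, whether nproc has a hard cap. It treats the `-` type as setting both soft and hard, and flags soft-only entries such as `@faculty` above, because a user may raise a soft limit up to the hard one. The `@staff` line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the three nproc lines from the article, plus a "-"
# entry (@staff) and an unrelated core entry added for illustration.
sample_limits() {
    cat <<'EOF'
# <domain> <type> <item> <value>
@student hard nproc 50
@faculty soft nproc 100
@pusers hard nproc 200
@staff - nproc 150
* soft core 0
EOF
}

# Read limits.conf-style text on stdin and print one line per domain:
#   <domain> hard=<n|none> soft=<n|none> <OK|WEAK>
# WEAK means there is no finite hard nproc cap for that domain.
audit_nproc() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        NF >= 4 && $3 == "nproc" {
            d = $1
            if (!(d in seen)) { seen[d] = 1; order[++n] = d }
            if ($2 == "hard" || $2 == "-") hard[d] = $4
            if ($2 == "soft" || $2 == "-") soft[d] = $4
        }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                h = (d in hard) ? hard[d] : "none"
                s = (d in soft) ? soft[d] : "none"
                v = (h == "none" || h == "unlimited") ? "WEAK" : "OK"
                printf "%s hard=%s soft=%s %s\n", d, h, s, v
            }
        }'
}

# Print only the domains whose nproc limit is not backed by a hard cap.
weak_domains() {
    audit_nproc | awk '$4 == "WEAK" { print $1 }'
}

sample_limits | audit_nproc
```

To check a real system, feed it the live file instead of the sample: `audit_nproc < /etc/security/limits.conf`.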

You then have to reboot the server. You can also use ulimit for the active session.
This command sets various parameters (soft: modifiable, and hard: not modifiable) for memory and process management.

In our case, ulimit is used as follows:
Example: limit users to 30 processes:
# ulimit -u 30
To check and list the limits in effect:
# ulimit -a

max user processes (-u) 30

ulimit can be used for other parameters as well.
Increasing the stack size. The value is given in KB.
If you have programs that declare large arrays, you can change the stack size, which is 8 MB by default (you need to be super-user):
# ulimit -s

# ulimit -s 32768

# ulimit -s

It is also possible to set the soft and hard limits manually. The hard limit can be modified only once per session, and it also caps the soft limit.

To modify the soft limit:
ulimit -S -m 800000

For the hard limit:
ulimit -H -m 800000

Note, however, that these limits are set only for the current session, so you must modify your /etc/security/limits.conf file.
